
Bringing identity home

Identity is one of those elusive concepts that underpin several important debates. It appears to me that identity can be tied to a systemic view or an individual view. The former is the province of centralised systems and intrusive governments, the latter usually confined to the realms of philosophy or psychology. I’d argue that individual focus plays an increasingly important role in the online world as individuals drive their own identity. My aim (in working on the VRM project) is to find ways to equip them with better tools to continue to do so in all areas of their life, if they so choose.

Offline, we have the crowd who argue about identity in the political sphere, where the debate is really about privacy, rights of the individual, the relationship between the state and its citizens, efficacy of various methods of authentication and security implications. This involves fighting the Big and Bureaucratic Brother in all his shapes and guises, and his equally overbearing cousin the national database or register.

Online, we have the identity gangs within Identity Commons, Identity 2.0 and other identity-related projects. Let’s look at Dick’s articulate case for digital identity, Identity 2.0. Without going into too much detail, I believe the objective is to mimic the modern identity that revolves around photo IDs (passport, driving license, student card etc) in our online identity transactions. In other words, to enable the user to have the kinds of benefit in the online environment that identity management affords us in the offline world. The requirements for that are scalability of trust, privacy, re-usability, less fragmented identity, convenient ways of accessing and managing one’s identity, secure and private handling of sensitive or private information. For example, the same way your driving license proves your age and allows you to buy alcohol legally, Identity 2.0 is about you being able to prove claims relevant to your online transactions. On another level it is making it more convenient to manage what is currently an ‘identity’ scattered across the net – the ubiquitous logins with passwords, one for every time you deal with someone who created a platform to a) interact or transact with them and b) offer some functionality/capability in exchange for your data. The requirement for that is to be simple & open.

This is all good, as Doc is fond of saying, but this is not the kind of identity I had in mind when thinking about where to start with VRM and how identity relates to it.

According to Dick Hardt identity is what I say about me and what others say about me. The latter being more trustworthy, it makes sense to identify myself through referring to someone who can corroborate what I say. I am therefore defined by external, verifiable and validated statements, facts and information – identifiers. Dick defines his identity as consisting roughly of address, date of birth, URLs of blogs he writes, emails he uses, phone numbers, banks, airlines, clothes and car brands he uses, books, movies and magazines he likes.

These are all shortcuts to what constitutes Dick Hardt as a person, they put his identity in a recognisable frame of reference and allow him to participate in identity transactions.

In the offline world identity is really third-party driven; to put it crudely, we are what our papers say we are. Your birth certificate attests to your date of birth, your utility bills to your residence, your diploma to your education etc. It has been so because our identity management has had several fundamental features – it is centralised, system-centric and it is read-only. We are used to deriving our authority and credibility from a system that grants and confirms it. It is important that we can do that as the only way we can transact in a hierarchical environment is via authorisation from the level above us. (A definition of hierarchy is that in order to interact with somebody on the same level I have to go via a superior level.)

Whatever the web turns out to be, it is not a hierarchy. It is a network, i.e. a heterarchy, a network of elements in which each element shares the same “horizontal” position of power and authority, each playing a theoretically equal role. This has impact on how my identity is defined and who defines it. From blogs to social network profiles, people are learning how to define their thoughts and ideas, record their lives in multimedia formats, share their experiences, swarm around causes and defy companies, institutions and authorities. From linky love to P2P, they are bypassing traditional media and distribution channels, learning the ways of direct connections.

People online build and destroy reputations, create and squander careers, establish themselves as experts or celebrities. That’s the bird’s eye view. The closer look reveals emergence of self-defined (and self-driven) identities. By writing I learn to articulate my thoughts better, by sharing I learn to differentiate from, as well as identify with, others. I become aware of myself and my preferences in ways that in the times before the web were available to a select few – writers, artists, politicians and the more articulate celebrities. We have ways of connecting with others who become validators and authenticators of our self-defined and persistent identities. The challenge is to understand and find how to evolve and use those for other than communication and information transactions.

And yet, instead we build platforms – vestiges of offline identity – third-party defined spaces designed to ‘contain’ bits of your identity. They clash with my ability as an individual to define and drive my identity. Over time I learn to manage who I am and, as more tools and networks emerge, my fractured existence, scattered across others’ silos, becomes more obvious. The silos are a result of various platforms vying for my data, offering bits and pieces of functionality that I find useful and empowering. It got me where I am now as an ‘empowered’ individual. However, a picture of fractured identity emerges.

Centralised database(s) of identity information and its verification, authentication etc is based on a hierarchy mindset. In a heterarchy, each node is self-defined first and then defined by its relationships. I want to have an identity that evolves and exists in a network, i.e. a structural heterarchy. Why not start by ‘defragging’ identity by outsourcing its definition to individuals, as they are capable of creating much richer identities than any system?

To my amazement I often see logins and passwords to various sites and platforms described as “identity”. I don’t think of them as my identity, but as things that I currently need to access bits of my scattered identity; at best they are my meta-identity. (Btw, by self-defined identity I am not referring to self-asserted identity, which still relates to identifiers of the kind I’d call meta-identity. I am looking for ways of establishing identifiers that are part emergent, part validated by relationships rather than by systemic-level third parties designed to do that. Let’s not have a ‘centralised’ trust, let’s have a distributed one.)

What I want is an option (with a set of tools) for individuals to take charge of their identities.* And on the web that starts with exercising sovereignty over my data. This alternative must be networked and not third party dependent or platform based. As I have said before, there are only two ‘natural’ online platforms – the individual and the web.

But what about authentications and authorisations that are needed for transactions, aside from all the fluffy social empowering self-publishing identity utopia? …I hear you cry. As is often the case on the web, there may be other ways to skin the authentication cat than using identity. The key is in realising that authorisation and identity are related but separate.

Authentication is the act of establishing an identity – this is separate from the existing identity approach where the focus is on collection and disbursement of bits of data to do with someone. The cheap and cheerful explanation of this is that you can authenticate with a password (i.e. something that only you know). However, that password need not reveal anything about you/your identity. It just reveals that you are someone who knows the password. Therefore, authentication is free to be separate from identity. They are in separate but related domains. Have I mentioned that they are separate?

A password on its own tends to be a bit weak, as authentication goes; in my experience it is prone to social hacking. Good authentication might be combining something like: KNOWING the password that UNLOCKS the certificate that you HAVE on the laptop, that permits a remote website to challenge you and get the response it expects, since it KNOWS that you have your certificate on your laptop…

In short, let me have a go at my identity myself, on my own terms, the web way, without intermediaries, ‘trusted’ parties and hierarchical non-direct ways. Locking me into new ‘better’ platforms, offering ‘services’ to manage my meta-identity is like putting a band-aid on a gaping wound. Instead, give me tools, flexible and modular, to reclaim my digital personae, help me piece together my fractured identity. And then allow me to drive it forward with all of the benefits that it can bring me and to those I interact and transact with. Learn to live with the unpredictability and emergent juicy goodness that comes from my independence and lack of your control over me. Finally, let me learn from my mistakes, my first uncertain steps with my data sovereignty. Without those how can I ever learn to fully value privacy, security and engage in mutually beneficial interactions?

*I plan to cover this in more detail in the upcoming white paper on the infrastructural level elements (the Mine! and FeedMe) that enable people to reclaim their data, manage and share them on their own terms whilst being connected, networked and part of the web.

[...] Adriana at Media Influencer has written something of a manifesto on taking charge of one’s own identity: What I want is option (with set of tools) for individuals taking charge of their identities.* And on the web that starts with exercising sovereignty over my data. This alternative must be networked and not third party dependent or platform based…. [...]

Great exposition, Adriana – thank you for taking the time to put your thoughts into words.

One observation to be going on with: I’m not sure that other people’s assertions about you are inherently more trustworthy than your own. After all, it may well be in someone else’s interest to lie about you, just as it is sometimes in your own interest to lie about yourself. (“It wasn’t me who broke that window – it was Adriana…”).

Examples like driving licences and bank credentials are useful because they clarify that the reason the credentials are useful is because there’s a trade-off of one set of interests against another. I want a driving licence in order to be able to get around; the DVLA and police want my driving licence to be accurate so they can enforce the law; a third party might assume that my driving licence is a reliable credential because the law enforcers have a strong interest in making it so (and the means to punish me if I lie about myself).

It points the way to a future where the internet is used to gather ‘low-trust’ evidence in support of an assertion, on a scale which is practically impossible to subvert, and which makes it as reliable as a smaller number of high-trust credentials (such as we have at the moment).

This approach assumes that the third parties either have some interest in ensuring that data about you is accurate, or at least that they are neutral as to its accuracy but have an interest in maintaining its integrity.

[...] “Identity” in all its various forms, however it has evolved into a companion piece to Adriana’s musings on identity – not only because upon reading her posting I found us using like words and like metaphors to much [...]
